As you read this article, most likely on a mobile device, you could unwittingly be opening the way for cyber invaders. Maybe it was an email sitting in your inbox that you clicked on, maybe a link to a new business article or journal. And suddenly the walls of your enterprise, the walls that you have spent billions of dollars to secure with software and services, have been breached in the blink of an eye.

Malcolm Gladwell, in his book "David and Goliath," recently highlighted the somewhat counter-intuitive idea that in a clash between a David and a Goliath, the odds are generally stacked against the bigger, more highly favored opponent. Goliath is slow and lumbering, blinkered in his vision and rather hard of hearing. He also has a rather outdated weapon at his disposal. Like Goliath, the modern large enterprise is slow: slow to react to changes in the business environment. It is also hard of hearing, and updated information from clients and employees may not reach the ears of senior managers who can influence decisions made by the company. Furthermore, a combination of sunken investments and conservative thinking may delay decisions to invest in modern tools. Now contrast that with a small attacking force, the David in this encounter, that has but one objective: to bring down the larger one. It dedicates its energies to that one goal and can take full advantage of modern weaponry to do so. This small opponent can change the message and have it understood by all its network members instantly. Today banks find themselves under siege from organizations dedicated to stealing data, individual identities and account information and to disrupting customer services. Like the US and Al Qaeda, vast entities find themselves outmatched by relatively tiny organizations.

It is unusual these days for a week or even a day to go by without publicity of a security breach at a large bank or retailer and it feels like this game has changed both in terms of the significance and the nature of that risk. The greater significance attached to data security can be seen in two ways. First of all, the publicity surrounding recent data breaches at large banks, retailers and credit companies has been richly deserved. There have been massive breaches and they have upended the assumptions made by customers when they transact in the most basic, everyday ways.

Second, in yesterday's world, the security of a bank's IT network was generally the domain of IT security chiefs. Today, however, it is the CEO who owns it and is publicly responding to it. The issue of today is not just compliance with the regulatory control compliance framework but the loss of real assets, customers, data and revenue.

The elevation of data security's importance has been brought about by the revolution in the ways we transact, conduct and manage business. Customers access their accounts online as a matter of course, often on-the-go via a bewildering array of devices. The same is true of employees. We already take this for granted but it is a massive change and it has taken place in the blink of an eye.

Large US enterprises, on the other hand, have typically designed their IT security strategies around the paradigm of employees accessing a single IT network from enterprise-compliant computer devices. While the network was frequently breached by viruses, worms and the like, such breaches incurred limited damage and created minimal reputational damage. This was because online customer transactions and account data were far less ubiquitous and so harder for an intruder to locate and steal. Companies nevertheless started to make bigger investments to shore up their networks. Robust firewalls were put up to stop intruders from entering the network and antivirus software was installed. These investments focused on a view of the enterprise as a single network with a centralized command and control center.

Today those seeking to infiltrate a company's information assets, customer accounts, sales information and so on have many potential points of entry from unsuspecting customers and employees that can easily bypass a central firewall. Focusing on the firewall is rather like focusing on a missile defensive shield when terrorists are leveraging civil airliners. The Goliaths of today need to get a slingshot.

The key to turning the tables in this battle revolves around two components: data and education. First, companies need to go through a process of identifying which of their own data and their customers' data is critical to protect. Once that critical data is identified, analytics should be built around how, when and by whom the data is accessed. For instance, when does a customer typically access his or her account, from what device, what types of transactions are executed, for how much, and so on.

For an employee, the analysis is similar: which employees touch this customer's account information, and to perform which function? Understanding these normative patterns helps identify unusual activity that could indicate a breach has occurred. Investment in tools, people and processes that can detect deviations from such patterns of behavior is critical if companies are to move from defense to offense on this issue. Second, education of clients and employers continues to be of major importance and is still far from effective. Companies need to invest much more heavily in both data analytics and education on this issue if they are going to stop playing Goliath to the hackers' Davids.
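The access-pattern analytics described above can be sketched as a per-customer baseline plus a deviation check. This is an added example, not code from the article or from any bank; the event fields, the sample history and the thresholds (`hour_slack`, `z_limit`) are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample history: (customer, device, hour_of_day, amount)
HISTORY = [
    ("cust-1", "phone-A", 8, 40.0), ("cust-1", "phone-A", 9, 55.0),
    ("cust-1", "laptop-A", 12, 60.0), ("cust-1", "phone-A", 18, 35.0),
    ("cust-1", "laptop-A", 19, 50.0), ("cust-1", "phone-A", 8, 45.0),
]

def build_baseline(history):
    """Per-customer profile: known devices, usual hours, amount mean/std."""
    grouped = defaultdict(list)
    for cust, device, hour, amount in history:
        grouped[cust].append((device, hour, amount))
    baseline = {}
    for cust, rows in grouped.items():
        amounts = [r[2] for r in rows]
        baseline[cust] = {
            "devices": {r[0] for r in rows},
            "hours": {r[1] for r in rows},
            "mean": mean(amounts),
            "std": pstdev(amounts),
        }
    return baseline

def deviations(event, baseline, hour_slack=2, z_limit=3.0):
    """Return the reasons an access event departs from the customer's norm."""
    cust, device, hour, amount = event
    profile = baseline.get(cust)
    if profile is None:
        return ["no_baseline"]  # nothing to compare against: review manually
    reasons = []
    if device not in profile["devices"]:
        reasons.append("new_device")
    # Distance on a 24-hour clock, so 23:00 and 01:00 are two hours apart.
    gap = min(min(abs(hour - h), 24 - abs(hour - h)) for h in profile["hours"])
    if gap > hour_slack:
        reasons.append("unusual_hour")
    # Floor the spread so a perfectly constant history does not flag every cent.
    spread = max(profile["std"], 1.0)
    if abs(amount - profile["mean"]) / spread > z_limit:
        reasons.append("unusual_amount")
    return reasons

BASELINE = build_baseline(HISTORY)
for ev in [("cust-1", "phone-A", 9, 52.0), ("cust-1", "tablet-X", 3, 4800.0)]:
    print(ev, "->", deviations(ev, BASELINE) or "normal")
```

The same structure applies to the employee case by keying the baseline on employee and recording which accounts and functions each one normally touches.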
